Formspring is latest Web service to get hacked, all user passwords disabled [Updated]

One-time red hot social question and answer site Formspring has become the latest Web service to get hacked, after its CEO Ade Olonoh revealed that the site fears its “some” user passwords were accessed.

Formpsring claims to have some 28 million registered users, but it is not clear how many have been affected [update: 420,000 were estimated to have been compromised]. All user passwords have been disable as a security precaution, and users have been contact with a prompt to reset their passwords when they next log-in to the service.

We learned this morning that we had a security breach where some user passwords may have been accessed. In response to this, we have disabled all users passwords. We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords. Users will be prompted to change their passwords when they log back into Formspring. This is a good time to create a strong password.

The company deserves kudos for being upfront with the news, and acting to minimise the potential issues that could follow. That said, the email sent to registered users could be more transparent, it simply cites “security reasons” rather than provide fuller details, as Tech Geek notes.

The irony is that this breach may serve to bring many ‘lost’ users back to the site to fix up their passwords.

The last few months have seen the safety of user passwords become a major issue after LinkedIn and Lastfm became two high profile sites to have had user data accessed by third parties. Dating site eHarmony was also said to have seen 1.5 million passwords stolen.

In the case of LinkedIn, the professional social network had up to 6.5 million user passwords grabbed from its system, although they were said to be hashed and encrypted.

Update: We’ve reached out to Formspring, and the firm revealed that an estimated 420,000 log-ins were compromised, each was salted and sha256 hashed – a system that has now been upgraded.

Here’s the statement we were given in full:

We were notified that approximately 420k password hashes were posted to a security forum, with suspicion from a user that they could be Formspring passwords. The post did not contain usernames or any other identifying information.

Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to extract account information from a production database. We were able to immediately fix the hole, and are reviewing our internal security policies and practices to help ensure that this never happens again.

While there’s no evidence to suggest that these passwords were used to gain access to user accounts, we took the precautionary measures of forcing all users to reset their passwords, and upgrading our hashing mechanisms from sha-256 with random salts to bcrypt.